Encrypt And Secure Your Electronic Health Information Now

Encrypt and Secure Your Electronic Protected Health Information Now: DHHS Issues Breach Notification Interim Rule

The Department of Health and Human Services has issued its Interim Rule on Breach Notification, concerning protocols for notifying patients or health plan subscribers that there has been a breach in the protection of their Protected Health Information (“PHI”). The regulations, issued August 24, 2009, are now effective, though the Department will continue to receive comments for another 30 days. The Interim Rule delineates the criteria for notification to DHHS of a breach of “unsecured” health information.

The crux of the Interim Rule, published on August 24, 2009 in Vol. 74, No. 162, at 42740, entitled “Breach Notification for Unsecured Protected Health Information; Interim Final Rule,” may be found in the definition of “unsecured” PHI. The requirement for breach notification was contained in the Health Information Technology for Economic and Clinical Health Act, (“HITECH Act”), a part of the American Recovery and Reinvestment Act of 2009 (“ARRA,” colloquially known as the “Stimulus Package”). HIPAA covered entities, such as health care providers and health plans, and their business associates, are required to notify affected patients or subscribers after discovering a breach of “unsecured personal information.” In some cases, notification to the media is required – something no entity would relish.

Notification, which closely follows the Breach Notification Rules of the Federal Trade Commission, is costly in terms of expense and loss of goodwill, so it is important to know the information to which it applies. In short, it applies to health information which is not encrypted or otherwise rendered unreadable or indecipherable. Section 13402(h) of the HITECH Act (“the Act”) defines unsecured protected health information as “information that is not secured through the use of a technology or methodology specified by the Secretary in guidance.” The first such Guidance was issued in the Federal Register at 74 FR 19006 on April 27, 2009. Further clarification is offered in the Interim Rule.

DHHS spells out, in refreshingly clear prose, the benefits of protecting PHI in such locations as hard drives, electronic communications, and portable media, by encryption: “If a covered entity chooses to encrypt protected health information to comply with the (HIPAA) Security Rule, does so pursuant to this Guidance and subsequently discovers a breach of that encrypted information, the covered entity will not be required to provide breach notification . . . ” 74 F.R. at 42741-42742.
As the quantum of digital health information increases, as a result of funding provided by the Act, and that information is stored and transferred, covered entities should provide the ground rules and reasons for protection of PHI through encryption to their counsel, Risk Managers, IT offices and Records Managers.
I will have further comment on the Breach Notification Rule when the Final Rule is published.